Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

ComboFix Log For Acer Computer with malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

ComboFix Log For Acer Computer with malware

Unread postby dcrobins » July 30th, 2010, 10:37 pm

Problem: Acer Computer has rootkit malware in Service RasAcd file C:\windows\system32\DRIVERS\RASACD.SYS. Was able to remove over 100 other viruses but not the rootkit trojan. Please help. ComboFIx log below. Cannot install antivirus software with this rootkit.

ComboFix 10-07-29.04 - Marc Lebesque 07/30/2010 21:21:44.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.767.341 [GMT -4:00]
Running from: c:\users\Marc Lebesque\AppData\Local\Temp\Temp1_ComboFix.zip\ComboFix.exe
AV: Live Security Suite *On-access scanning disabled* (Updated) {245F4CD3-9DDA-4562-B8AA-3FABDF69AD79}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\driver
c:\program files\webserver
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\AutoRun.inf
c:\windows\system32\config\systemprofile\AppData\Local\0535049569854.xxe
c:\windows\system32\config\systemprofile\AppData\Local\0995154505553.xxe
c:\windows\system32\config\systemprofile\AppData\Local\KBDLemf.dll
c:\windows\system32\config\systemprofile\AppData\Local\rdr_1182429275.exe
c:\windows\system32\config\systemprofile\AppData\Local\rdr_1182432438.exe
c:\windows\system32\config\systemprofile\Desktop\spam001.exe
c:\windows\system32\config\systemprofile\Desktop\spam003.exe
c:\windows\system32\config\systemprofile\Desktop\troj000.exe
c:\windows\system32\df1a245s4_2360.exe
c:\windows\system32\msvcrt2.dll
c:\windows\system32\o.dat

Infected copy of c:\windows\system32\DRIVERS\RASACD.SYS was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVERDRV
-------\Legacy_PDRV


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-31 01:42 . 2010-07-31 01:42 -------- d-----w- c:\users\Mom\AppData\Local\temp
2010-07-31 01:42 . 2010-07-31 01:42 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-07-31 01:42 . 2010-07-31 01:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-31 01:42 . 2010-07-31 01:42 -------- d-----w- c:\users\Brooke\AppData\Local\temp
2010-07-31 01:41 . 2010-07-31 01:41 -------- d-----w- c:\users\Arden\AppData\Local\temp
2010-07-31 01:40 . 2010-07-31 01:53 -------- d-----w- c:\users\Marc Lebesque\AppData\Local\temp
2010-07-31 01:40 . 2010-07-31 01:40 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-31 01:55 . 2008-12-21 14:21 -------- d-----w- c:\users\Marc Lebesque\AppData\Roaming\LimeWire
2010-07-31 01:54 . 2009-01-08 23:19 -------- d-----w- c:\users\Marc Lebesque\AppData\Roaming\DNA
2010-07-31 01:54 . 2007-06-17 17:20 -------- d-----w- c:\program files\DNA
2010-07-31 01:01 . 2009-12-09 18:59 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 15:21 . 2009-10-03 06:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-02 23:33 . 2010-05-02 23:33 262144 ----a-w- c:\programdata\ntuser.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 21:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-02 39408]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2007-06-17 323392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-01-31 630784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-31 4669440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-04-08 104408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-02 39408]

c:\users\Marc Lebesque\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
IMVU.lnk - c:\users\Marc Lebesque\AppData\Roaming\IMVUClient\IMVUClient.exe [2008-12-4 49408]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-9-18 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AVPath"="\\\\.\\root\\SecurityCenter:AntiVirusProduct.instanceGuid=\"{245F4CD3-9DDA-4562-B8AA-3FABDF69AD79}\""

R2 gupdate1c9adb578c67e50;Google Update Service (gupdate1c9adb578c67e50);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 133104]
R3 XDva219;XDva219;c:\windows\system32\XDva219.sys [x]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-04-08 632792]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 01:51]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 01:51]

2010-06-03 c:\windows\Tasks\Norton Security Scan for Arden.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-18 16:54]

2010-07-31 c:\windows\Tasks\User_Feed_Synchronization-{0A45ACF2-2097-4FF9-924B-D0B3729EA314}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService
AddRemove-Win Antispyware Center - c:\program files\SystemDefender2010\Win Antispyware Center.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\RtHDVCpl.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
.
Completion time: 2010-07-30 22:03:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-31 02:03

Pre-Run: 183,105,748,992 bytes free
Post-Run: 187,176,468,480 bytes free

- - End Of File - - D37BBB79CAFFB756F88BDE56A0E6D60B
dcrobins
Active Member
 
Posts: 1
Joined: July 30th, 2010, 9:36 pm
Advertisement
Register to Remove

Re: ComboFix Log For Acer Computer with malware

Unread postby NonSuch » July 31st, 2010, 3:54 am

ComboFix is not a tool that is intended to be used without the direct supervision of a qualified expert. To use ComboFix on your own is to court disaster for your computer. Please stop all attempts at self-fixes for your system's issues as that may only confuse the issue further and cause additional problems as well.

In order for us to help you it is necessary that you provide us with a HijackThis log. Please follow the guideline at the link below to start a new topic and post your HijackThis log. Also include your ComboFix log in the same post.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here: >Guideline for posting your HijackThis log<
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 311 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware